Celebrating our 100th issue of #MobSec5 with exciting innovation news of our own! We were pleased to announce the release of NowSecure Jailed Testing for iOS with new NowSecure Gadget technology this week. Kudos to our product, development and engineering teams for their hard work keeping NowSecure at the leading edge of mobile application testing technology.
This week’s #MobSec5 includes these topics and more!
- TLS now default for Android
- Popular messaging app banned in Russia
- iOS 11.4 released to public beta group
- Intelligent dairy app monitors cows’ health
- FTC urges security within test environments
- And more!
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
Mobile Security Index 2018
(Verizon Enterprise Solutions)
“Almost all respondents (93%) agreed that mobile devices present a serious and growing security threat. Despite this, many were failing to take basic precautions. Only 39% said they change all default passwords and over half (51%) didn’t have a public Wi-Fi policy.”
You can register for the Verizon Mobile Security Index 2018 here. Wondering where to start building or improving your mobile application security testing program? NowSecure’s tenured team of mobile appsec professionals is always available to assist with assessments and with defining requirements that promote mobile AST best practices, optimize workflow and meet industry regulatory requirements.
Protecting users with TLS by default in Android P
(Android Developers Blog)
“Android is committed to keeping users, their devices, and their data safe. One of the ways that we keep data safe is by protecting all data that enters or leaves an Android device with Transport Layer Security (TLS) in transit. As we announced in our Android P developer preview, we’re further improving these protections by preventing apps that target Android P from allowing unencrypted connections, by default.”
As Android continues to push for encrypted data in transit, TLS is now the default for apps targeting Android P, with the option to request cleartext traffic, as needed, for legacy requirements.
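As an added illustration (not code from the Android Developers Blog post), this is a network security config that keeps cleartext blocked everywhere, as Android P does by default, and opts in only one legacy host; the host name legacy.example.com is a placeholder assumption:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Referenced from the manifest via
     <application android:networkSecurityConfig="@xml/network_security_config" ...> -->
<network-security-config>

    <!-- Default for every destination: no cleartext HTTP.
         This matches the Android P default for apps with targetSdkVersion 28,
         and makes the policy explicit for apps that still target an older SDK. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Narrow, reviewable exception for a single legacy endpoint (assumed host).
         Prefer this over android:usesCleartextTraffic="true" in the manifest,
         which would re-enable unencrypted connections for the whole app. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">legacy.example.com</domain>
    </domain-config>

</network-security-config>
```

With this in place, an HttpURLConnection or OkHttp request to any http:// URL other than the listed host fails with an IOException rather than silently sending data in the clear, which is a quick check to run during pre-production testing.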
Digital Dairy App Helps Milk Data at Waynesboro Farm
“The product, an app called Ida, lets him know when the cow is standing or resting. It lets him know when she eats and drinks, and how much. And most important, it lets him know whether she is healthily producing the milk his farm depends on for its survival.”
“Apple today seeded the first beta of an upcoming iOS 11.4 update to its public beta testing group, one day after seeding the beta to developers and a little under a week after releasing iOS 11.3, the last major update to the iOS 11 operating system.”
The 9th annual Hack in the Box Netherlands Security Conference happened this week, generating many useful presentations for the community. All presentation slides are posted here. A few interesting topics for the mobile appsec community are below.
- Uncovering the Android patch gap through binary-only patch analysis
- Digging Deep: How to Find and Exploit Bugs in IoT Devices
Russian Court Rules to Block Telegram ‘Immediately’
(The Moscow Times)
“A Moscow court has ruled to ban the popular Telegram instant messaging service in Russia over its refusal to hand over tools that would allow the authorities to decrypt private conversations.”
FTC addresses Uber’s undisclosed data breach in new proposed order
(Federal Trade Commission)
“Among the lapses the FTC challenged, one proved particularly damaging: Uber’s policy of allowing its staff to use a single access key that provided full admin privileges over the sensitive data Uber stored in clear, unencrypted text on that cloud service. Why was that decision so fateful? Because when an Uber engineer publicly posted an access key on GitHub, a code-sharing site popular with software developers, an intruder used that all-access backstage pass to grab personal data about more than 100,000 people.”
The FTC’s advice to add security during pre-production testing is something every company should consider. NowSecure AUTO can quickly test pre-production binaries for vulnerabilities, leveraging automation to keep the app moving through the agile development cycle. See how NowSecure provides fast, accurate mobile app security tests in under an hour.
“Google has long struggled with how best to get dozens of Android smartphone manufacturers—and hundreds of carriers—to regularly push out security-focused software updates. But when one German security firm looked under the hood of hundreds of Android phones, it found a troubling new wrinkle: Not only do many Android phone vendors fail to make patches available to their users, or delay their release for months; they sometimes also tell users their phone’s firmware is fully up to date, even while they’ve secretly skipped patches.”
Signal Bypass Screen locker
(Nint.en.do Hackers Public Disclosure Group)
“The vulnerability, triggered by some click sequence, allows anyone to bypass password and TouchID authentication protections that iOS users can set on their device in order to increase application security and confidentiality.”
If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now.